Filtered by vendor Sap
Subscriptions
Total
1586 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37180 | 1 Sap | 1 Sap Basis | 2025-10-29 | 4.1 Medium |
| Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be restricted, the function can be used to read non-sensitive information with low impact on confidentiality of the application. | ||||
| CVE-2024-39594 | 1 Sap | 2 Business Warehouse, Business Warehouse Virtual Comp | 2025-10-29 | 6.1 Medium |
| SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause low impact on the confidentiality and integrity of the application. | ||||
| CVE-2024-25646 | 1 Sap | 1 Businessobjects Web Intelligence | 2025-10-29 | 7.7 High |
| Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. | ||||
| CVE-2025-42968 | 1 Sap | 1 Netweaver | 2025-10-27 | 5 Medium |
| SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. | ||||
| CVE-2025-42986 | 1 Sap | 3 Abap Platform, Netweaver, Sap Basis | 2025-10-27 | 4.3 Medium |
| Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | ||||
| CVE-2025-42956 | 1 Sap | 1 Sap Basis | 2025-10-27 | 6.1 Medium |
| SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application. | ||||
| CVE-2025-0053 | 1 Sap | 1 Sap Basis | 2025-10-24 | 5.3 Medium |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits. | ||||
| CVE-2025-0058 | 1 Sap | 1 Sap Basis | 2025-10-24 | 6.5 Medium |
| In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable. | ||||
| CVE-2025-0060 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | 6.5 Medium |
| SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. The attacker could further use this information to impersonate as a high privileged user causing high impact on confidentiality and integrity of the application. | ||||
| CVE-2025-0061 | 2 Sap, Sap Se | 2 Businessobjects Business Intelligence Platform, Sap Business Objects Business Intgelligence Platform | 2025-10-24 | 8.7 High |
| SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application. | ||||
| CVE-2025-0063 | 1 Sap | 1 Sap Basis | 2025-10-24 | 8.8 High |
| SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability. | ||||
| CVE-2025-25245 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | 5.4 Medium |
| SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability. | ||||
| CVE-2025-31332 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | 6.6 Medium |
| Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files potentially disrupting operations or cause service downtime hence leading to a high impact on integrity and availability. However, this vulnerability does not disclose any sensitive data. | ||||
| CVE-2025-42920 | 1 Sap | 1 Supplier Relationship Management | 2025-10-24 | 6.1 Medium |
| Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected. | ||||
| CVE-2024-34687 | 1 Sap | 1 Sap Basis | 2025-10-23 | 6.5 Medium |
| SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user’s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. Hence, this could have impact on Confidentiality, Integrity and Availability of the system. | ||||
| CVE-2025-0066 | 1 Sap | 4 Abap Platform, Netweaver Abap, Netweaver As Abap and 1 more | 2025-10-23 | 9.9 Critical |
| Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application | ||||
| CVE-2025-0064 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | 8.7 High |
| Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability. | ||||
| CVE-2025-23193 | 1 Sap | 1 Sap Basis | 2025-10-23 | 5.3 Medium |
| SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability. | ||||
| CVE-2025-30009 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | 6.1 Medium |
| he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application | ||||
| CVE-2025-30010 | 1 Sap | 1 Supplier Relationship Management | 2025-10-23 | 6.1 Medium |
| The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application. | ||||